Many of the bill’s problems stem from its vague language. One particularly dangerous provision, designed to enable corporations to obtain and share information, is drafted broadly enough to go beyond just companies, creating a government access loophole.

What is the Government Access Loophole?

The bill grants new powers to "cybersecurity providers" and "self-protected entities," and it specifically excludes the government from being considered a “cybersecurity provider.” But due to a drafting discrepancy, the government could fall within the definition of a “self-protected entity” and obtain many of the additional powers granted by CISPA.

This is because a “cybersecurity provider” must be a “non-governmental entity,” but the definitions of “self-protected entity” or a “protected entity” do not have this limitation. These definitions are critical, as they specify who gets to wield CISPA authority to obtain and transfer your information.

What Does the Loophole Mean?

While the intent of CISPA is to give companies this additional authority, under these definitions, EFF is concerned that the government could also assert some of the new powers granted by CISPA: to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the government, so long as it is for “cybersecurity purposes.”

In practical terms, it’s unclear what is exactly covered by such a "cybersecurity system." Under the vague definition, such a "system" could range from basic defensive software tools, like port-scanning, to more aggressive offensive countermeasures. For more details on the term, please see our FAQ.

If “cybersecurity systems” include tools for aggressive countermeasures, the clause is particularly dangerous because the government could use it to further expand its domestic cybersecurity arsenal. In one instance, the government already uses EINSTEIN, which is software that identifies threats on federal government networks and forwards the information to technicians. If considered a self-protected entity, the government could claim CISPA provided the authority to change EINSTEIN to not only identify and obtain threat information, but to launch aggressive attacks that could cripple innocent users’ computers. Some details about EINSTEIN 3, the latest version we know of, are classified, but security researchers have attempted to assess its security value.

Narrow Limits on the Loophole

The bill does limit this potential government power: it doesn't allow a government-controlled "cybersecurity system" to be used "on a private-sector system or network to protect such private-sector system or network.” However, this only protects against one type of government abuse and leaves holes for other types—what about using a “cybersecurity system” to protect a different private-sector system or network? Or to protect a public-sector system or network? What about a “cybersecurity system” owned by a State government?

The Fourth Amendment limits the government’s ability to use CISPA powers, but there would still be constitutionally dangerous implications: the government would also be granted broad legal immunity for any "decisions based on" cyber threat information, and CISPA's "notwithstanding” clause could override government privacy laws like the Privacy Act (which protects personal information in government records) and the Computer Matching and Privacy Protection Act (which limits the use of automated matching of government records).

As it stands, CISPA is dangerously vague, and should not allow for any expansion of government powers through a series of poorly worded definitions. If the drafters intend to give new powers to the government’s already extensive capacity to examine your private information, they should propose clear and specific language so we can have a real debate.